Re: [Pgi-wg] [gridshib-user] comments regarding a VOMS-SAML token--ANY plan to make VOMS SAML assertion be compatible with WS-Security SAML Token profile?

Hi VOMS folks, all,

The current VOMS SAML assertion is not compatible with the WS-Security SAML Token Profile. I would ask whether there is any plan to change it to make it compatible. I ask this because, if so, the SAML assertion can be used for SOAP message-layer authentication, rather than just carrying a SAML attribute assertion.

Thanks,
Weizhong Qiang

On Tue, Feb 10, 2009 at 5:21 AM, Tom Scavo <trscavo@gmail.com> wrote:
Thanks to Benjamin for posting this VOMS-SAML response to gt-user. A critique (of the SAML, not Benjamin :) follows.
- Note that the output is a <samlp:Response> element, not a <saml:Assertion> element. This is wrong. The requester must consume the response. Not sure why this isn't happening.
- The value of the <saml:Issuer> element in the response is a DN but the Format XML attribute is missing. This is a bug. The default Format is "unspecified" but clearly this is not.
- Second-level status codes are desirable so they can be echoed on the command line (if any).
- Same comment about the <saml:Issuer> element in the assertion.
- The use of SAML metadata requires that the Format on the <saml:Issuer> element be "entity" but clearly it is not. Thus the use of SAML metadata by the relying party is precluded.
- Don't know if Shibboleth/OpenSAML can verify the signature (which is tricky business). This is a future experiment that needs to be done.
- The <saml:SubjectConfirmation> element contains a <ds:X509Certificate> element, which precludes the binding of this holder-of-key assertion to a proxy certificate. This is a bug. Use a <ds:X509SubjectName> element instead (which causes the NameID itself to be redundant).
- If the assertion is bound to a proxy certificate, the NotBefore and NotOnOrAfter attributes are redundant and superfluous. In fact, they may be wrong since they must agree with the NotBefore and NotOnOrAfter fields of the proxy.
- Since the client authenticated directly to the server, a <saml:AuthnStatement> is desirable (not required, but potentially useful at the relying party).
- The NameFormat XML attribute on the <saml:Attribute> element should be "uri" not "unspecified".
- The "xsi:" prefix on the <saml:AttributeValue> element is undefined. This is a bug.
- The <saml:AttributeValue> elements do not conform to the XACML Attribute Profile (actually, I don't think the attributes conform to *any* SAML V2.0 attribute profile).
Hope this helps, Tom
---------- Forwarded message ---------- From: Benjamin Henne <henne@rvs.uni-hannover.de> Date: Wed, Feb 4, 2009 at 1:59 AM Subject: Re: [gt-user] SAML based VOMS Server To: Tom Scavo <trscavo@gmail.com> Cc: GT User <gt-user@globus.org>
<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          ID="_d01d46b7-d16a-4ae8-b9bb-beb8844838b6"
          InResponseTo="_qwertyuiopasdfghjklzxcvbn"
          IssueInstant="2008-10-16T19:03:57.922Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">CN=voms3.gridlab.uni-hannover.de,OU=UniHannover,O=GermanGrid,C=DE</saml:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="_81b685e5-4650-4ba9-b1c6-0ed957cc33ac"
                  IssueInstant="2008-10-16T19:03:57.920Z" Version="2.0">
    <saml:Issuer>CN=voms3.gridlab.uni-hannover.de,OU=UniHannover,O=GermanGrid,C=DE</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_81b685e5-4650-4ba9-b1c6-0ed957cc33ac">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>j55K/cn8GQNuTQ52Kr3r0NGRJ0w=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>...</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Benjamin Henne,OU=UniHannover,O=GermanGrid,C=DE</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
        <saml:SubjectConfirmationData>
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2008-10-16T19:03:57.920Z" NotOnOrAfter="2008-10-17T06:03:57.920Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://voms.forge.cnaf.infn.it/roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">VO-Admin@/RVS</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">resass@/RVS/education</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">staff@/RVS/research/SAML</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="nationality" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">German</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://voms.forge.cnaf.infn.it/group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">/RVS/education</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">/RVS</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">/RVS/research</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</Response>
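Tom's list above can be turned into a mechanical check that a relying party, or the VOMS developers, can run against the server's output. The following is an added example for this thread, not VOMS, Globus or Shibboleth code; it uses only Python's standard library. SAMPLE_RESPONSE is a constructed copy of the posted response with the signature omitted and the certificate value elided; FIXED_ASSERTION is a constructed assertion showing the corrected shape, and the entityID used as its Issuer is an assumption of the example, not a value the VOMS server emits. One thing the prose does not make obvious: the undeclared "xsi:" prefix is not a schema nit, a conforming XML parser rejects the document before any SAML processing starts, so the linter has to re-parse inside a wrapper that declares the prefix to get at the other findings.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
ATTR_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"


def q(ns, local):
    return "{%s}%s" % (ns, local)


def _parse(text):
    """Parse the document.  If expat reports an undeclared prefix (the 'xsi:'
    bug), re-parse inside a wrapper that declares xsi so the other checks can
    still run, and report that the original was not namespace-well-formed."""
    try:
        return ET.fromstring(text), False
    except ET.ParseError as err:
        if "unbound prefix" not in str(err):
            raise
        return ET.fromstring('<w xmlns:xsi="%s">%s</w>' % (XSI, text))[0], True


def lint(xml_text):
    """Return the sorted finding codes for one SAML response or assertion."""
    root, unbound = _parse(xml_text)
    findings = set()
    if unbound:
        findings.add("unbound-prefix")
    if root.tag == q(SAMLP, "Response"):
        findings.add("response-not-assertion")
    assertion = root if root.tag == q(SAML, "Assertion") else root.find(q(SAML, "Assertion"))
    if assertion is None:
        findings.add("no-assertion")
        return sorted(findings)
    # A DN in <saml:Issuer> with no Format defaults to "unspecified"; metadata
    # lookup needs Format="entity" on the response and the assertion Issuer.
    for issuer in root.iter(q(SAML, "Issuer")):
        if issuer.get("Format") != ENTITY:
            findings.add("issuer-format-not-entity")
    for sc in assertion.iter(q(SAML, "SubjectConfirmation")):
        if sc.get("Method") != HOK:
            continue
        data = sc.find(q(SAML, "SubjectConfirmationData"))
        keyinfo = None if data is None else data.find(q(DS, "KeyInfo"))
        if keyinfo is None:
            findings.add("hok-without-keyinfo")
        elif keyinfo.find(".//" + q(DS, "X509Certificate")) is not None:
            # Pins one certificate.  A proxy derived from it carries its own
            # key pair, so a client presenting the proxy can never confirm.
            findings.add("hok-bound-to-certificate")
        elif keyinfo.find(".//" + q(DS, "X509SubjectName")) is None:
            findings.add("hok-keyinfo-unrecognised")
    if assertion.find(q(SAML, "AuthnStatement")) is None:
        findings.add("no-authnstatement")
    for attr in assertion.iter(q(SAML, "Attribute")):
        if attr.get("NameFormat") != ATTR_URI:
            findings.add("attribute-nameformat-not-uri")
        if ":" not in (attr.get("Name") or ""):  # "nationality" is not a URI
            findings.add("attribute-name-not-uri")
    return sorted(findings)


# Constructed copy of the posted response (signature omitted, cert elided).
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="_d01d46b7-d16a-4ae8-b9bb-beb8844838b6"
 InResponseTo="_qwertyuiopasdfghjklzxcvbn" IssueInstant="2008-10-16T19:03:57.922Z" Version="2.0">
 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">CN=voms3.gridlab.uni-hannover.de,OU=UniHannover,O=GermanGrid,C=DE</saml:Issuer>
 <Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></Status>
 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_81b685e5-4650-4ba9-b1c6-0ed957cc33ac"
  IssueInstant="2008-10-16T19:03:57.920Z" Version="2.0">
  <saml:Issuer>CN=voms3.gridlab.uni-hannover.de,OU=UniHannover,O=GermanGrid,C=DE</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Benjamin Henne,OU=UniHannover,O=GermanGrid,C=DE</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml:SubjectConfirmationData>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
   </saml:SubjectConfirmationData></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2008-10-16T19:03:57.920Z" NotOnOrAfter="2008-10-17T06:03:57.920Z"/>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://voms.forge.cnaf.infn.it/roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">VO-Admin@/RVS</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute Name="nationality" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">German</saml:AttributeValue>
   </saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</Response>"""

# Constructed assertion with the corrected shape; the Issuer entityID is an
# assumption of this example, not a value the VOMS server emits.
FIXED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xs="http://www.w3.org/2001/XMLSchema"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 ID="_81b685e5-4650-4ba9-b1c6-0ed957cc33ac" IssueInstant="2008-10-16T19:03:57.920Z" Version="2.0">
 <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://voms3.gridlab.uni-hannover.de/voms/RVS</saml:Issuer>
 <saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Benjamin Henne,OU=UniHannover,O=GermanGrid,C=DE</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml:SubjectConfirmationData>
   <ds:KeyInfo><ds:X509Data><ds:X509SubjectName>CN=Benjamin Henne,OU=UniHannover,O=GermanGrid,C=DE</ds:X509SubjectName></ds:X509Data></ds:KeyInfo>
  </saml:SubjectConfirmationData></saml:SubjectConfirmation>
 </saml:Subject>
 <saml:AuthnStatement AuthnInstant="2008-10-16T19:03:57.920Z"><saml:AuthnContext>
  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
 </saml:AuthnContext></saml:AuthnStatement>
 <saml:AttributeStatement>
  <saml:Attribute Name="http://voms.forge.cnaf.infn.it/roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
   <saml:AttributeValue xsi:type="xs:string">VO-Admin@/RVS</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
```

Calling lint(SAMPLE_RESPONSE) reports every item from the list that can be checked syntactically (the signature check, which Tom leaves as a future experiment, is out of scope here), and lint(FIXED_ASSERTION) comes back empty. The linter deliberately does not complain about the Conditions validity window: whether NotBefore/NotOnOrAfter are redundant depends on whether the assertion is bound to a proxy, which the document alone does not tell you.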

Hi Weizhong,

Can you be more specific? The issues Tom pointed at are all valid, and we will for sure address them. But what would prevent using the assertion with WS-Security (once the correctness of the SAML assertion is fixed)? SOAP message-layer authentication isn't in the scope of the Strawman profile, which mandates SSL/TLS mutual authn.

Valerio

On Mon, 2009-03-30 at 16:25 +0200, weizhong qiang wrote:
[...]

On Mon, Mar 30, 2009 at 5:07 PM, Valerio Venturi <valerio.venturi@cnaf.infn.it> wrote:

Hi Weizhong, can you be more specific? The issues Tom pointed at are all valid, and we will for sure address them. But what would prevent using the assertion with WS-Security (once the correctness of the SAML assertion is fixed)? SOAP message-layer authentication isn't in the scope of the Strawman profile, which mandates SSL/TLS mutual authn.

Yes, it is not in the Strawman profile. But I think it does not hurt if the WS client can get a standardized SAML token from the VOMS SAML service and optionally use it for SOAP message authentication. Of course, the condition is that compliance with this standardization does not conflict with compliance with the other standardizations.

Cheers,
Weizhong